Mateen: Adaptive Ensemble Learning for Network Anomaly Detection

Published: 2024. Last Modified: 04 Jan 2025. Venue: RAID 2024. License: CC BY-SA 4.0.
Abstract: Anomaly-based intrusion detection systems are tasked with identifying deviations from established benign network behaviors, assuming such deviations to be indicators of malicious intent. Deep AutoEncoders (DAEs) have become increasingly popular in these systems due to their exceptional ability to model benign behavior with high accuracy, particularly in static, offline settings where the network's benign activity pattern is presumed to remain constant. However, this static approach becomes less effective as network behavior naturally evolves, leading to challenges in distinguishing new, benign activities from genuine threats. This evolution raises a critical question: How can we enhance offline DAEs to accurately identify threats while avoiding false alarms caused by benign behavior changes?

To address this question, we propose Mateen, an online learning framework designed to augment the capabilities of offline DAEs, enabling them to recognize and adapt to changing benign network behaviors efficiently and with minimal overhead. Mateen leverages an ensemble of DAEs to monitor and adjust to these changes. It optimizes resource usage by selecting only a few representative samples for updates and reduces the overall framework's complexity by retaining only the relevant models.

We evaluate the effectiveness of Mateen on five network intrusion datasets, each exhibiting different types of benign behavior evolution. The results demonstrate that Mateen consistently enhances offline DAE performance across various evolution types. For instance, Mateen boosts the F1-score on the IDS17 dataset, which exhibits light change, by 4.13%, and on the Kitsune dataset, characterized by heavy change, by 72.6%, while only necessitating labeling for 1% of the incoming samples.
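The failure mode and the remedy the abstract describes, as an added illustration that is not the paper's code or Mateen's actual algorithm: an offline model of benign behaviour scores traffic by reconstruction error, a shift in benign behaviour turns that model into a source of false alarms, and an ensemble that spends a 1% labelling budget on the samples no current member can explain, then trains a new member on the ones an analyst labels benign, stops the false alarms while still flagging attacks. To keep the block runnable with only the Python standard library, the deep autoencoder is replaced by a one-hidden-unit, tied-weight linear autoencoder trained by plain gradient descent; only the reconstruction-error scoring idea carries over. The three-feature "traffic" directions, the noise level, the threshold rule (five times the worst training error), the budget-spending policy and the names (LinearAE, Ensemble, run_demo) are all assumptions of this example, and Mateen's own sample-selection and model-retention logic is not reproduced.

```python
import math
import random


def unit(v):
    n = math.sqrt(sum(c * c for c in v))
    return [c / n for c in v]


# Constructed 3-feature "traffic": each sample lies near one direction in feature
# space, a crude stand-in for a benign (or malicious) behaviour profile.
BENIGN_OLD = unit([1.0, 2.0, 0.5])   # behaviour the offline model was trained on
BENIGN_NEW = unit([0.2, 0.5, 2.0])   # evolved benign behaviour (the drift)
ATTACK = unit([2.0, -1.0, 1.0])      # malicious traffic, off both benign subspaces


def sample(direction, n, noise=0.01):
    """n noisy samples along `direction`, each with a random magnitude in [0.3, 1]."""
    out = []
    for _ in range(n):
        s = random.uniform(0.3, 1.0)
        out.append([s * d + random.gauss(0.0, noise) for d in direction])
    return out


class LinearAE:
    """Toy stand-in for a DAE: tied-weight linear autoencoder, x_hat = w * (w . x)."""

    def __init__(self, dim):
        self.w = [random.uniform(-0.5, 0.5) for _ in range(dim)]
        self.threshold = None

    def error(self, x):
        h = sum(wi * xi for wi, xi in zip(self.w, x))          # encode
        return sum((wi * h - xi) ** 2 for wi, xi in zip(self.w, x))  # squared reconstruction error

    def fit(self, data, epochs=200, lr=0.05):
        for _ in range(epochs):
            for x in data:
                h = sum(wi * xi for wi, xi in zip(self.w, x))
                r = [wi * h - xi for wi, xi in zip(self.w, x)]
                wr = sum(wi * ri for wi, ri in zip(self.w, r))
                # gradient of ||w (w.x) - x||^2 with respect to w is 2 (h r + (w.r) x)
                self.w = [wi - lr * 2.0 * (h * ri + wr * xi)
                          for wi, ri, xi in zip(self.w, r, x)]
        # Assumed threshold rule: a generous multiple of the worst training error.
        self.threshold = 5.0 * max(self.error(x) for x in data)
        return self

    def is_anomaly(self, x):
        return self.error(x) > self.threshold


class Ensemble:
    """Several benign-behaviour models; a sample is benign if any member explains it."""

    def __init__(self, base):
        self.models = [base]

    def score(self, x):
        # error normalised by each member's own threshold; the best-fitting member wins
        return min(m.error(x) / m.threshold for m in self.models)

    def is_anomaly(self, x):
        return self.score(x) > 1.0

    def adapt(self, stream, budget=0.01):
        """Spend the labelling budget only on samples no member explains (assumed
        policy). Labelled-benign ones are benign drift: train a new member on them."""
        flagged = [(x, label) for x, label in stream if self.is_anomaly(x)]
        k = min(len(flagged), max(1, int(budget * len(stream))))
        labelled = random.sample(flagged, k)   # the only samples an analyst labels
        drift = [x for x, label in labelled if label == "benign"]
        if drift:
            self.models.append(LinearAE(len(drift[0])).fit(drift))
        return len(labelled), len(drift)


def rate(flagger, data):
    return sum(1 for x in data if flagger(x)) / len(data)


def run_demo():
    random.seed(7)
    old = LinearAE(3).fit(sample(BENIGN_OLD, 200))       # the offline model
    ens = Ensemble(old)
    # Later traffic: benign behaviour has partly evolved and some attacks arrive.
    # Labels are carried only so adapt() can receive the analyst's answers.
    stream = ([(x, "benign") for x in sample(BENIGN_NEW, 1000)]
              + [(x, "benign") for x in sample(BENIGN_OLD, 900)]
              + [(x, "attack") for x in sample(ATTACK, 100)])
    random.shuffle(stream)
    r = {"old_model_fpr_on_new_benign": rate(old.is_anomaly, sample(BENIGN_NEW, 200))}
    r["labelled"], r["labelled_benign"] = ens.adapt(stream, budget=0.01)
    r["models"] = len(ens.models)
    r["ensemble_fpr_on_new_benign"] = rate(ens.is_anomaly, sample(BENIGN_NEW, 200))
    r["ensemble_fpr_on_old_benign"] = rate(ens.is_anomaly, sample(BENIGN_OLD, 200))
    r["ensemble_detection_rate"] = rate(ens.is_anomaly, sample(ATTACK, 200))
    return r


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point to take from the run is the ordering of the numbers, not their exact values: the offline model flags essentially all of the evolved benign traffic, the ensemble built from 20 labelled samples (1% of a 2,000-sample stream) explains both the old and the new benign behaviour, and attacks that lie off every benign subspace keep a normalised error well above 1 under every member, so taking the minimum over members does not hide them. The one check a practitioner must keep in mind is the labelling step: a sample wrongly labelled benign would be trained into a new member and silently whitelisted.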